What criminals do with stolen passwords

By Brian Krebs

December 27, 2012 — 1.12pm

Not long ago, PCs compromised by malware were put to a limited number of fraudulent uses, including spam, click fraud and denial-of-service attacks. These days, computer crooks are extracting and selling a much broader array of data stolen from hacked systems, including passwords and associated email credentials tied to a variety of online retailers.

At the forefront of this trend are the botnet creation kits like Citadel, ZeuS andSpyEye, which continue make it simple for miscreants to assemble collections of compromised machines. Botnets are networks of infected or zombie computers which obey a remote command and control master. The term is also used to define botnet malware which infects the computers. By default, most bot malware will extract any passwords stored in the victim PC's browser, and will intercept and record any credentials submitted in web forms, such as when a user enters his credit card number, address and other details at an online retail shop.

Stolen credentials are useful to a number of scams.

Some of the most valuable data extracted from hacked PCs is bank login information. But non-financial logins also have value, particularly for shady online shops that collect and resell this information.

Logins for everything from Amazon.com to Walmart.com often are resold — either in bulk, or separately by retailer name — on underground crime forums. A miscreant who operates a Citadel botnet of some size (a few thousand bots) can expect to quickly accumulate huge volumes of logs - records of user credentials and browsing history from victim PCs. Without even looking that hard, I found several individuals on the underground Underweb forums selling bulk access to their botnet logs. For example, one Andromeda bot user was selling access to 6 gigabytes of bot logs for a flat rate of $US150 ($144).

Advertisement

Increasingly, miscreants are setting up their own storefronts to sell stolen credentials for an entire shopping mall of online retail establishments. Freshtools sells purloined usernames and passwords for working accounts at overstock.com, dell.com, walmart.com, all for $US2 ($1.90) each. The site also sells fedex.com and ups.com accounts for $US5 a pop, no doubt to enable fraudulentreshippingschemes. Accounts that come with credentials attached to the email addresses on each site can fetch a dollar or two more.

The "Pentagon" store sells a range of merchant site credentials, priced at $US1 ($.96) to $US5 ($4.80).

These shops are just one example of a concept that I have been trying to get across to readers about the many, many uses of a hacked PC. Nearly every aspect of a hacked computer and a user's online life can be and has been commoditised.

If it has value and can be resold, you can be sure there is a service or product offered in the cyber criminal underground to monetise it. I haven't yet found an exception to this rule.